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SYSTEM AND METHOD FOR SECURE TRANSACTIONS OVER A NETWORK 
Field of the Invention 

5 The present invention relates to a method and system for secure 

transactions over a network and more specifically to a system and method for 
providing secure and reliable transactions over an un-manages insecure 
communication network. 

10 Background of the Invention 

It is well known that transaction networks are useful for providing a variety 
of electronic services in a secure and reliable manner. There are many examples 
of such transaction networks including: automatic bank teller machine networks; 
15 airline ticket kiosk networks; and credit card authorization machine networks to 
name a few. 

A transaction network (TN) is a geographically distributed collection of 
interconnected computers, data-servers, and switching and routing elements that 

20 co-operate to effect a particular service. A TN typically includes one or more 

access points or gateways through which information is obtained from or delivered 
to the TN. For example, a credit card processing would typically include at least 
two access points. One access point for allowing end users to input and receive 
information to and from the TN, and a second access point for communication that 

25 information to and from the TN to a credit card server. 

Typically, transaction networks are built over private networks. A private 
network is one which is not available for public use. One type of private network 
utilized for transaction purposes is a packet-switched network. A packet-switched 

30 network is a network which transmits electronic messages by breaking up the 
message into smaller messages known as packets. These packets are then 
"switched" or transmitted over the network from a sending to receiving computer. 
Switching refers to a technology wherein each packet is identified by a destination 
address and transmitted individually over a network. Thus, unlike telephony circuit 

35 switching which requires a constant point-to-point circuit to transfer a message, 
packet-switching allows each message to take a different path over th n twork to 
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its destination. Upon r ceiving the entir set of packets comprising the complete 
electronic messag , the destination computer then ass mbles the packets into their 
proper sequence to obtain the message. A private packet-switching network is 
merely a packet-switched network which is unavailable for public communication 
5 purposes. Typically this is achieved by adding security features to the network to 
prevent access by unauthorized person. 

Private packet-switched networks are most often utilized in transaction 
networks as a result of the high level of security they provide. First, given the 

10 private nature of the network, it is much more difficult for potential computer 
hackers (thieves) to obtain access to the network. Second, as a result of the 
messages being transmitted via the packet-switching technology outlined above, it 
is much more difficult for hackers to intercept and re-assemble entire messages. 
This is particularly true when the individual packets are electronically encrypted 

15 before being transmitted. 

One drawback to utilizing a private, packet-switched data netwprk, however, 
is the excessive cost of such networks. This is because the owner of such a 
" network must first build the network and then pay fees to maintain the associated 
20 private circuits. These maintenance costs can be significantly greater than those 
associated with a public data network. Furthermore, private data networks also 
suffer from limited availability in remote areas. 

It is also well known that public packet-switched data networks, such as the 
25 Internet, offer tremendously efficient means of organizing and distributing 

computerized data. The cost of utilizing the Internet for transmitting data is also 
considerably less than that for private data networks. Furthermore, the bandwidth 
associated with the Internet can often greatly exceed that available to private 
networks. The Internet, however, has several drawbacks for interconnecting 
30 transaction networks. First, as a result of being a public network, data transmitted 
over the Internet is available to public viewing at all times. Second, the Internet 
does not offer central management or co-ordination which can provide quality of 
service assurances to its users. Third, the routing of data between various points 
on the Internet can be sub-optimal resulting in inordinate network delay. Finally, 
35 the various links and routing elements utilized in the Internet can fail or become 
congested resulting in unpredictable network performance. 



SUBSTITUTE SHEET (RULE 26) 



WO ,01/20430 



-3- 



PCT/CAOO/01073 



Several attempts have been made to address the aforementioned problems 
associated with Internet communications. One such attempt involves using 
encryption routers to encrypt data prior to being transmitted over the Internet. An 

5 encryption router is basically a computer which performs the function of encrypting 
or decrypting information which is being transmitted over a communication network. 
Networks which are constructed using encryption routers and public networks to 
connect the participating computers or networks are known as "virtual private 
networks" (VPN). VPNs are well known in the art of electronic data 

10 communication. 

Internet-based VPN's, however, have a number of drawbacks which limit 
their use for secure transaction network purposes. These drawbacks are best 
explained with references to Figures 1 and 2. 

15 

Figure 1 shows the Open System Interconnection (OSI) standard for 
worldwide communications 100 as is shown in the art. The standard is an ISO 
standard (International Organization for Standardization) which specifies standards 
for seven layers of computer communications. The seven layers are: (i) physical 

20 layer - for passing and receiving bits onto and from the connection medium 102; (ii) 
data link layer - for ensuring node to node validity and integrity of the transmission 
104; (iii) network layer - for establishing the route between the sending and 
receiving nodes 106; (iv) transport layer - for overall end to end validity and 
integrity of the transmission 108; (v) session layer - for providing coordination of 

25 the communications between the connected parties as marking significant parts of 
the transmitted data with checkpoints to allow for fast recovery in the event of a 
connection failure 110; (vi) presentation layer - for negotiating and managing the 
way data is represented and encoded when data is transmitted between different 
computer types 112; and (vii) application layer - for defining the language and 

30 syntax that the programs use to communicate with other programs 1 14. 

Referring now to Figure 2, a schematic representation of an electronic 
message being communicated over a VPN is shown. Note, the transmission is 
shown in the context of the OSI model referred to in Figure 1 . Starting at a source 
35 node 122, an electronic message stating "HELLO" is sent over a local area network 
(LAN) 124 towards th Internet 128. On rout to the Internet the messag is 
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encrypted by a VPN router 126 such that the message now reads "xyOlhapQU". 
The message is then re-transmitted over the Internet 128 towards the destination 
node 134. Upon the message being received at the LAN 132 to which the 
destination node is connected, the message is decrypted by another VPN router 
5 130. The de-encrypted message is then forwarded to the destination node 134. 

As is apparent from Figure 2, one can see that only the un-encrypted 
message ("HELLO") utilizes all seven layers of the OSI model. That is to say the 
un-encrypted message is transmitted according to the full OSI model such that the 

10 receiving node can monitor, interpret and utilize the message within the context of 
the communication dialogue existing between the nodes. Referring to the VPN 
routers (126 and 130), however, one can see that the encrypted message only 
utilizes the lowest three layers of the OSI model. This means that the encrypted 
data only conforms to the physical, data link and network layer standards 

15 prescribed by the OSI model. The encryption and de-encryption stages are only 
concerned with: the physical passing of information from and onto the connection 
medium; the node to node validity of the message; and the route the message will 
follow between the sending and receiving stations (in this instance the VPN routers 
■ 126 and 130). I 

20 

As a result of only utilizing the lowest three layers of the OSI model for their 
functions, VPNs are unable to provide a full set of redundant safeguards against 
lost data or failed hosts. There is no way for the network to detect these problems 
as this would require the encrypted message to utilize the standard prescribed in 

25 the transport layer (layer 4). Furthermore, by merely relying on the lowest three 
layers of the OSI model the VPN is unable to automatically recover from system 
crashes of individual nodes in the network. This is because the protocols for 
managing the dialogue between communication parties exists in the session layer 
of the OSI model (layer 5). Thus, in the event of a crash or failure of an individual 

30 node in the network, the VPN would be unable to automatically determine the 
states of the communicating parties prior to the crash. VPNs, therefore, merely 
provide a secure physical conduit for transmitting information from one node to the 
next. They do not, however, provide a secure and reliable transaction service 
which can compensate for various network problems such as lost packets, failed 

35 hosts or system crashes, or us r needs such as transaction back-out or roll-back. 
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VPNs also suffer an additional drawback which negatively aff cts their 
ability to provide secure transactions. This drawback is the inability of such 
networks to automatically modify and update the algorithms and keys utilized for 
message encryption. 

A need exists, therefore, for an improved method for communicating 
information over a public network, when it is used as a transaction network. 



Summary of the Invention 

It is therefore an object of the invention to provide a system and method 
which obviates or mitigates at least one of the disadvantages described above. 

One aspect of the invention is defined as a method for providing secure 
transactions over a packet-switched communication network comprising the steps 
of : transmitting a probe packet to an adjacent node; receiving a plurality of 
response packets to the probe specifying the capacity of a plurality of transmission 
paths; and transmitting a data packet to a destination node on one of the 
transmission paths based on the responses. 

Another aspect of the invention is defined as a method for providing secure 
transactions over a packet-switched communication network comprising the steps 
of: receiving a probe from an adjacent node; forwarding the probe to at least one 
other adjacent node in response to receiving the probe at a node which is not a 
destination node; and sending a reply in response to receiving the probe, when the 
probe is received at a destination node. 



Another aspect of the invention is defined as a method for providing secure 
transactions over a packet-switched communication network comprising the steps 
30 of: receiving an encrypted data packet; de-encrypting the encrypted data packet 
using a current encryption key; deriving a new encryption key from the current 
encryption key using a key generating algorithm; defining the new encryption key 
as the current encryption key; encrypting the data packet using the current 
encryption key; and transmitting the data packet to an adjacent node. 
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Another aspect of the invention is defined as a method for transmitting an 
electronic transaction m ssage comprising a plurality of data packets comprising 
the steps of: adding at least one of a time stamp or a message identifier number to 
each of the plurality of data packets; storing a portion of each of the data packets in 
5 an electronic transaction database; and recovering a previous state of the 

electronic transaction database using the added at least on of a time stamp or a 
message identifier number. 



10 Brief Description of the Drawings 

These and other features of the invention will become more apparent from 
the following description in which reference is made to the appended drawings in 
which: 

15 

Figure 1 presents a schematic representation of the Open System 
Interconnection (OSI) standard; 

Figure 2 presents a schematic representation of data being communicated 
20 over a Virtual Private Network as is know in the prior art; 

Figure 3 presents a schematic representation of a system for providing 
secure-transactions over an insecure communication network in accordance with 
an embodiment of the present invention; 

25 

Figure 4A presents a flow chart of a method for sending a probe to 
determine the capacity of a communication path within a system from providing 
secure transactions over an insecure network in a preferred embodiment of the 
invention; 

30 

Figure 4B presents a flow chart of a method for sending a response to a 
probe to determine the capacity of a communication path within a system for 
providing secure transactions over an insecure communication network in a 
preferred embodiment of the invention; 
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Figure 5A presents a flow chart of a method for transmitting a message 
over a system for providing secure-transactions over an insecure communication 
network in a preferred embodiment of the invention; 

5 Figure 5B presents a flow chart of a method for receiving a message over a 

system for providing secure-transactions over an insecure communication network 
in a preferred embodiment of the invention; 

10 Detailed Description of the Invention 

The present invention is directed to a method and system for providing a 
secure and reliable transactions over an un-managed insecure communication 
network. 

15 

A schematic representation of a system for providing secure transactions 
over an un-managed insecure communication network is shown in Figure 3. The 
system is hereinafter referred to as a Virtual Transaction Network (VXN). As 
shown in Figure 3 the VXN 300 consists of a plurality of computers, or nodes, 

20 interconnected over a packet-switched communications network. The nodes 
utilized in the VXN system are referred to as master nodes. The components 
utilized in the within the master nodes are described in further detail below. 
Referring again to Figure 3 one can see that the VXN includes six master nodes 
(301, 302, 303, 304, 305 and 306). Also shown in Figure 3 is a transaction server 

25 308 and a user interface 31 0 attached to master nodes 303 and 305 via gateways 
314 and 316 respectively. These components are also described in further detail 
below. 

Figure 3 also shows the various nodes within the VXN being interconnected 
30 oyer the Internet 312. The VXN, however, is not limited to being connected over 
the Internet and could, therefore, be applied to any public packet-switched network 
or combination of private and public packet-switched networks. 

In order to effect a service offered by the VXN, an end user must first be 
35 able to communicate with the network. The end user performs this task by utilizing 
a user interface 310 which is attached to one of the master nodes 306 in the VXN 
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via a gateway 314. As will be apparent to one skilled in the art, a gateway is a 
device that functions as an entrance or exit point to a network. One should also 
note that while the user interface shown for accessing the VXN system is a 
computer terminal 310, the invention is not limited in this manner. The end user 

S could just as easily access the VXN using a number of different devices including a 
lap-top, smart terminal, personal digital assistant, Internet-ready telephone, 
telecommunications switch, World Wide Web server, or other similar interfaces as 
are known in the art. Furthermore, one should note that the aforementioned user 
interface and gateway do not have to be physically distinct from the corresponding 

10 master as shown in Figure 3. These components could easily be incorporated into 
the master node itself. 

Once the user has decided to utilize the system, the VXN must be able to 
communicate information between an end user and a transaction server 30 8. A 

15 transaction server is a computer or device on the network that manages the 
network resources provided by the VXN system. Typically a server consists of a 
CPU for performing the various functions of the server, and a storage device for 
storing information necessary to the performance of the server. For example, in 
the context of a VXN providing airline service, the transaction server would perform 

20 numerous functions including: providing information about available flights; booking 
flights; and providing electronic tickets to name a few. As will be apparent to one 
skilled in the art, a transaction server can be connected to a master node through a 
gateway 316 as described above. In the preferred embodiment of the invention the 
aforementioned transaction server also contains accounting means for billing 

25 purposes. 

Although only a single transaction server is shown in Figure 3, the present 
invention could easily include a number of different transaction servers for 
providing different services. In the case of multiple transaction servers, the VXN 

30 would route messages to the appropriate server based on the type of service 
chosen by the end user. Similarly, one could distribute various parts of a single 
transaction to different servers as needed. Using the airline kiosk example again, 
one part of the transaction could be routed to an airline server for finding a ticket, 
while a second part of the transaction could be routed to a credit card server for 

35 purchasing that ticket. 
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One should also note that although Figure 3 depicts the transaction server 
308 as being a single computer, the invention is not limited in this manner. Rather, 
the server could consist of a number of networks or computers which are 
interconnected to provide the previously mentioned transaction server functions. 

5 

Referring again to Figure 3, one can see that the transaction server 308 is 
shown as being physically distinct from its corresponding master node. One should 
note, however, that this is purely for demonstration purposes as the functions of the 
master node and its corresponding transaction server could easily be carried out by 
10 a single computing device. 

The master nodes 301, 302, 303, 304, 305 and 306 form the core of the 
VXN system. The master nodes, similar to the transaction server 308, are servers 
consisting of a CPU and an associate storage device. In a preferred embodiment 
15 the master nodes are stored at physically secure locations. This means that the 
master nodes are stored in such locations that adequate and reliable cooling, 
backup power and physical security are provided. The master nodes perform 
various functions related to the operation of the VXN which is outlined below. 

20 First, each master node is capable of packetizing electronic messages for 

transmission over the VXN and assembling packetizing messages which are 
received. Note, the process of packetizing messages typically occurs in the first 
node of transmission path that receives the electronic message. Similarly, the 
process of assembling packetized messages typically occurs in the final node of a 

25 transmission path only (f.e. the master node linked to the destination transaction 
server). The concept of d etermining the transmission path for routing data p ackets 
is described below in further detail with respect to Figure 5. One should note, 
however, that it is not necessary that every master node be capable of performing 
the packetizing and assembling functions. Intermediate master nodes in a 

30 transmission path do not need this function because they will only be receiving and 
transmitting individual data packets. In the preferred embodiment of the invention, 
^ however, each master node is capable of these functions so that these ^ — 
intermediate nodes are capable of becoming a transaction o(dientnod^as the 
need arises. The process of packetizing and assembling is well known to one 

35 skilled in the art of packet-switch d network communications. 
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Second, ach master node is acts as a routerto forward message packets ffo«fc ^ W 
to adjacent nodes bas d on a transmission path det rmin dbytheVXN. A 
flowchart outlining th various steps for transmitting and receiving message 
packets in a preferred embodiment of the invention is described in further detail 
5 below with reference to Figures 5A and 5B. 

As part of the transmitting and receiving capabilities of the master nodes, 
each master is further capable of performing a number of related functions. For 
example, when transmitting a message packet, each master node is capable of 
10 attaching or including a checksum and unique message ID with each data packet 

As will be apparent to one skilled in the art, a checksum is utilized to ensure the ^ 
overall validity of a packet after it is transmitted. The message ID, on the other f> 
hand, identifies the data packets as being par#of the original electronic message. 

15 Another capability of the master nodes which is related to the transmitting ^ ^ 

and receiving functions is the ability to store transmitted and received data packets. sV*^ 
The purpose of storing a data packet along with its message ID is to ascertain and 
restore the network to its state immediately preceding a system failure. This is 
. achieved by storing the aforementioned information along with a timestamp. By ? 

20 performing this function the VXN ensures that the loss of one or more master 

nodes does not affect the integrity of the network. The updating of a VXN following 
a system crash is described below in further detail. 

By storing copy of a data packet and its corresponding message ID the 
25 VXN can also ensure that each transaction over a transaction network only occurs 
once. This is achieved by identifying and discarding multiple transmissions of the 
same data p ackets which are received within a specific time period . The VXN 
n 7 h ~T^77 Y mQm . v sttarhing the same message ID to data packets in the ? 
event that an end user commands the same function multiple times within a 
30 specified time period. In the context of a VXN providing banking services, this is an ^ 
important feature, as it can prevent an end user from unwantedly debiting of an M'f ^ 
account twice during the same transaction. * 1**"* 

In order to be able to restore the network to its state immediately P rece ding^ , 
35 a system crash each master is. th refore. capable of tocking.the VXN and •* ^ ' 
performing a system update. A system update is a process wh r by an updating 
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master sets flag in each other master within the VXN to ensure that no other 
system updates can occur. The master then directs the masters to "roH-back" their 
operations to a time period immediately preceding a system failure. This is f 
achieved by utilizing the aforementioned timestamps, message IDs and data 

5 packets stored in the various master nodes. By performing this task, therefore, the 
system can continue operating notwithstanding the loss of a node or several nodes. 
In a preferred embodiment of the invention 5 information such as the data packets, 
time stamps and message Ids are periodically purged from the masters as they 
become outdated. For example the aforementioned information could be purged 

10 every T seconds wherein T is the greatest latency expected in the network. When 
restarting a master after a system failure for example, that master must be capable 
of clearing all locks it may have acquired before it crashed. This is to allow other 
masters to update the other nodes in the VXN, particularly the failed node. 

15 In order to provide security measures to the VXN, each master node must 

also be capable of performing packet encryption. The encryption algorithm utilized 
in the preferred embodiment of the invention is also described in the flowcharts 
presented in Figures 5A and 5B. To effect the encryption process the master 
nodes are programmed with a set of encryption re-star keys and an encryption 

20 algorithm which are stored in their associated storage device. The encryption re- 
start keys are utilized to initiate the encryption algorithm. The encryption algorithm 
is designed to define each successive encryption key utilized for encrypting data 
packets. In this manner a dynamically changing encryption system is provided 
thereby adding an additional level of security. For example, suppose that a 

25 computer hacker intercepts an encrypted packet and determines its corresponding 
encryption key. That key would merely allow the de-encryption of that particular 
packet. This is because the next packet would be encrypted using a different key 
which is derived from a preceding key. This process of deriving an encryption key 
would occur by utilizing a key generating algorithm. Thus, in order to decrypt an 

30 entire message one would first have to ascertain and collect all of the packets of a 
particular message and then determine the underlying encryption algorithm used to 
encrypt the other packets. This is clearly more difficult that merely ascertaining a 
single encryption key. 

35 Furthermore, in th event that an encryption k y and the encryption 

algorithm w re ascertained by an unauthorized user, the VXN could be easily 
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implemented with a new key generating algorithm and set of restart-keys to thwart 
any successive security breaches. The process of changing the encryption 
algorithm or restart-keys occurs as part of the aforementioned system update 
procedure. 

5 

-< Finally, each master node is capable of periodically transmitting "dummy" 
*** Xi ^ i * packets over the network. Dummy packets are identical in form to legitimate data 
\^ ** packets and are transmitted for the purpose of determining the capacity of a path 
connecting a master node to a transaction node. Note, this dummy transaction 

io function is not the same as a PING (Packet Internet Groper) function which is well 
known in the art. A PING function merely determines whether a physical 
connection exists with respect to a specific IP address. The dummy packet utilized 
here, however, is a complete transaction. Thus, the dummy function provides a full 
scale measure of the transmission and computation latencies of a particular path in 

15 the VXN. The dummy process, therefore, spans all seven layers of the OSI model. 
This is superior to the PING function which only spans the lowest three layers. In a 
preferred embodiment of the invention a master performs the dummy function by 
sending a dummy packet to a transaction node via a randomly selected outbound 
edge and waiting for a reply. An edge is hereinafter defined as a Icommunication 

20 link between two adjacent nodes. A reply from a transaction node to a sending 
master node then provides the sender with information regarding the cajjacjtxof 
the particular path. The method for performing the dummy function in the preferred 
embodiment of the invention is described below with respect to Figure 4. As will be 
apparent to one skilled in the art, the capacity of ^gdngss" of a particular network ^pdM 5 > 

25 path is a measurement of the available throughput , response^ime and reliability of J^rW 
the path. Similarly, the absence of a response can notify the VXN that a particular 
node or link is not functioning. 



In the VXN system, each master node performs the "dummy" function 
30 whenever a temporal threshold has been exceeded since a last message has been 

received. For example, a dummy transaction could be sent whenever the expected ? 

upper limit for the roundtrip delay time for an i ncumbent edge has been exceeded. 

The round trip delay time is a concept well known in the art. As a result of the 

dummy function being performed at regular intervals, the VXN can, therefore, 
35 dynamically r spond to the changing network capabilities of the Internet. Thus, the 

VXN can continually transmit packets via differing paths according to the cheapest 
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and least loaded route. With each packet taking a potentially different route, the 
VXN can ojatimajlyjoaaj^ its network traffic while at the same time making it 
increasingly difficult to intercept an entire message. 



5 In the preferred embodiment of the invention the selection of the routes 

between nodes occurs on a pseudo-random basis dependant upon the capacity of 
all paths in the network. The probability of selecting an edge for transmission is 
proportional to the relative goodness of that edge to an other edges which are 
linked to the destination master node (i.e. the master node linked to a required 

to transaction server). This method of obtaining the capacity information utilized in 
this gleaning algorithm is explained in further detail below with respect to the flow 
chart presented in Figure 4. As will be apparent to one skilled in the art, however, 
the invention is not limited to using a gleaning algorithm and could easily utilize 
other routing algorithm known in the art such as d^jmjMouting or flood routing to 

15 name a few. ^ 

This VXN system described above, therefore, is an improvement over 
Jy/EWs known in the prior art for a number of reasons. First, the VXN spans all 
seven layers of the OSI model shown in Figurel. This means that the VXN 
20 functions as a distributed multiprocessor machine which^able to leam and adapt to 
the changing realities in the underlying packet-switched network and the VXN itself. 
Furthermore, the system provides superior security measures as it provides a 
dynamically changing and adaptive encryption algorithm for transmitting data- 
. packets. The VXN also provides additional security measures by transmitting data 

<^ 25 to server nodes in a pseudo random fashion. Finally, the system is superior to 



VPN's in that it enables the network to recover from lost data, failed host or system 
crashes by recording the various messages transmitted and received at a particular 
node along with a message ID and a time stamp. 



30 Figure 4A and 4B present flowcharts for the method steps taken by a 

master node when performing the dummy function. As mentioned previously with 
respect to Figure 3, a dummy function is a process whereby a master sends out a 
dummy packet of information to a d estination transaction server and awaits a reply. 
A "dummy" packet which is sent out to a destination transaction is hereinafter 

35 referred to as a "probe". Similarly, a reply to such a prob is hereinafter referred to 
as a "response". 
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Referring now to Figure 4A a flowchart for the method steps taken by a 
node when receiving a probe is presented. The method initiates at step 400 
wherein a probe is received at a node. At step 402 the receiving node then 
determines whether it is the des^inatio ^tra,nsa(AiQnj ode to which the probe is 
being sent. If the receiving node isjnot the destination node a copy of the probe 
and an associate timestamp is stored in the node at step 404. When a packet is w 
stored in a node along with a timestamp it is "enqued". After enqueing the probe, 
the receiving node then copies the probe and transmits it along each of its 
associated outbound edges at step 405. For example, referring to Figure 3 one 
can see that if a probe destined for node 304 is received at node 302, a copy of the 
probe will be sent to both node 304 and 305. 

If, on the other hand the (eoeiving node ^is the destination node, that node 
then sends a response to jhe adjacent node (from which)the probe was re ceived at 
step 406. When this response is received by the node which sent the probe, that 
sending node will then know the capacity of the particular path taken by the probe. 
At step 408 a copy of the response is enqued in the(re^M^n^ for the 
aforementioned updating purposes. ( 

Referring to Figure 4B a flow chart presenting the steps followed by a node 
receiving a response is shown. The method initiates at step 408 wherein the 
receiving node determines whether a probe associated with the response received 
is enqued in the node. If no associated probe exists, the response is merely 
destroyed at step 41 0. Upon verifying that an associated probe exists, the method 
proceeds to step 412 wherein the receiving node determines whether it is the node 
which generated the probe. If the receiving node is not the generating node, the 
receiving node^Se-enques^the probe at step 414. After de-enqueing the probe, the 
receiving node forwards the response to the adjacent node from whic h the original 
probe was received at step 416. Finally, a copy of the response is enqued in the 
receiving node at step 418. >^ 

In the event that the receiving node is the node which generated the probe, 
the node updates the capacity for the path taJs ejLbyJtbe.,probe to the destination 
node at step 420. In the preferred embodiment of the invention the capacity ° '"^ 
determination is performed by an exponential averaging algorithm which is well 
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known in the art. Following the performance of the update, the receiving node de- 
enquesth original probe at step 422 is then de-enqued and the method 
terminates. 

-? 

5 Figures 5A and 5B present flowcharts for the method steps taken by a ^tgs , 

master node for transmitting a message and receiving a packet respectively. ^ ^ <r & 9 ^' 

Beginning with Figure 5A^ a method for t ransmitti ng a message begins at step 500^, ^ 
wherein the transmitting node detennines whether a message has been received 
within a specified time period. This step is performed by utilizing a clock within the 
10 CPU of the master nodes which begins when the node is initialized. Proceeding to 

step 502, if the message has not been received within the specified time period, the t „/> 0 

transmitting node determines the capacity of a path to a transmission node by ^ 
^ sending a "dummy" packet along a randomly selected outbound edg e. As part of df.*"*' 

rJ0 • "dummy" function, the transmitting node resets the timer for prescribing when the , j 

<1 C v jA/*^" 

15 next "dummy" packet is sent. If, however, a message is received within a specified taM ) 

vM «> ' ~" "* "~" d**«yon rt 3 uW*<Js^? >w 

Lt r$ yfi I *' me P enoc1 ' tne transmitting master node procee^st&the next step of the 

j^WVy'v K methodology wherein that node packetizes the ffeceived jnessage 504. 



After packetizing the message the method proceeds to step 506 wherein 
the transmitting node determines whether a current encryption key (CK) is defined 
in its storage device. As mentioned previously, the CK is utilized for the purpose of 
determining the next encryption key for transmitting a packet by employing an 
encryption algorithm. If a CK is already defined, a new key (NK) is derived from the 
existing CK, using an encryption algorithm, and that key is defined as the new CK 
at step 508. Otherwise, the transmitting node selects a key from a set of restart 
keys (RK) and defines that key as the CK at step 510. Regardless of which 
process is used to define the CK, the methodology proceeds to step 512 wherein 
the packet to be transmitted is encrypted by the transmitting node using the CK. 



30 Once the packet which is to be transmitted is encrypted, the transmitting 

node attaches a unique message ID and a checksum to the packet at step 514. As 
mentioned previously with respect to Figure 3, the message ID and checksum are 
for purposes of identification and validation respectively. The packet is then 
transmitted, at step 516, to the next node in the VXN as prescribed by the routing 

35 algorithm described with respect to Figure 4. 

, 3 ^ «. fOvti*^ »\pri\^ t 
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After transmitting the packet the transmitting nod awaits verification from 
the receiving n ode at step 518. If a verification packet is not obtained within a 
specified time period the transmitting node returns to step 516 and re-transmits the 
package. Upon receiving a verification packet from the receiving node the ^j^d^ 

5 transmitting node derives an NK form the CK at step 520 using a key generating eWfc*** 
algorithm. At step 522 the transmitting node then determines whether the 
verification is positive or negative by attempting to de-encrypt the verificat ion 
message using the C K. If the transmitting node is unable to de-encrypt the 
verification message received that means the verification is negative. Upon 

10 receiving a negative verification packet the transmitting node attempts to de- 
encrypt that packet using the set of RKs at step 524. If the transmitting node is 
successful in de-encrypting the negative verification packet using the RKs, the CK 
is set to the successful RK at step 526. The transmitting node then returns to step 
506 and attempts to re-send the packet. Otherwise, the CK is cleared from the 

15 storage device of the transmitting node at step 528 and the process re-starts at 
step 506. Packets may be de-encrypted and re-encrypted, using the newly 
generated key at each node. 

Upon receiving a positive de-encryption verification packet |(/.e. the CK de- 
20 encrypted the verification message) the transmitting node determines whether the 
integrity of the packet is positively verified at step 530. If the packet integrity is not 
positively verified, the transmitting node re-transmits the message by returning to 
step 506. Upon receiving positive verification of the integrity of the packet the 
transmitting node makes a reco rd of the message ID, t he packe t, and a jjme _stamp 
25 in its associated storage device at step 532. Finally, the transmitting node 
determines whether all o f the packets for a particular message have been 
transmitted at step 534. If all of the packets have been transmitted, the method 
terminates. Otherwise, the method returns to step 506 and proceeds with the next 
packet to be transmitted. 

30 

The methodology followed by a receiving master node in the VXN is 
presented in Figure 5B. The methodology begins at step 536 wherein the receiving 
node determines whether a packet has been received within a specified time 
period. This process occurs in the same manner outlined above with respect to 
35 Figure 5A. Similar to th above methodology, if the message has not been 
received within the specified time period, the receiving nod determines the 
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capacity.of a path to a^ ransaction node) by sending a dummy packet to the 
transaction node along a randomly selected outbound edge at step 538. As part of 
this "dummy" transaction, the receiving master node resets the timer for receiving 
c \«s^ packets. If a ffiessag e)is received within a specified time period, the receiving 

5 master node proceeds to step 540 wherein the integrity of the packet is determined 
^ via the checksum received with the messagejjacket. If the integrity of the packet 

^i^V, has not been maintained during transmission, the receiving node selects an 

u ^>- : , \o*^ encryption key from the set of RKs at step 542. The receiving node then uses this 

' encryption key to encrypt a negative response message at step 544. After 

10 encrypting the negative response it is transmitted by the receiving node to the 
transmitting node at step 546. The process then re-starts at step 536 wherein the 
receiving node waits for a packet to be received. 

• Upon positively verifying the integrity of the packet, the receiving node 
15 determines whether a CK is defined at step 548. If a CK is defined, a NK is derived 
by the receiving node using a key generating algorithm at step 550. The receiving 
node then attempts to de-encrypt the packet using the NK at step 552. If, on the 
other hand, a CK is not defined, the receiving node attempts to de-encrypt the 
message using the entire set of RKs at step 554. The receiving node then 
20 determines if it was successful in de-encrypting the packet at step 556. If the 
receiving node is unsuccessful in de-encrypting the packet, the receiving node 
returns to step 542 and sends an encrypted negative response to the transmitting 



Upon successfully de-encrypting the packet, the receiving node defines the 
CK as the successful de-encryption key at step 558. The receiving node then 
derives a NK from the CK using a key generating algorithm and sets the CK to the 
NK at step 560. The receiving node then creates a positive acknowledgment 
message which is encrypted using the CK and sent to the transmitting node at step 
562. 

After a positive acknowledgement message is sent to the transmitting node, 
a record of the packet j eceive d is recorded in the receiving node at step 564. This ^4 
record includes the messageJD, a timestam pas sociated with the packe t and a 



35 copy of the packet itself. Once a record of the packet is madejhe receiving node 
then determines whether it is the destination node at step 566. If th receiving 
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nod is not the destination node, the receiving node then becomes amending node 
and begins th pack t sending methodology at step 506 (Figure 5A). 

In the event that the receiving node is the destination node, the receiving 
node determines whether all packets associated with a particular message have 
been received at step 568. If not all of the packets for a message have been 
received, the methodology is re-started at step 536. Otherwise, the receiving node 
assembles all the packets at step 570 and the methodology is complete. 

Further information describing the invention is found in Appendix A; 



While particular embodiments of the present invention have been shown 
and described, it is clear that changes and modifications may be made to such 
embodiments without departing from the true scope and spirit of the invention. 
15 Thus, it is intended that the present invention cover the modifications and variations 
of this invention provided they come within the scope of the appended claims and 
their equivalents. 

I 



SUBSTITUTE SHEET (RULE 26) 



WO 01/20430 



-19- 



PCT/CAOO/01073 



Appendix "A" 

Terms and Definitions 

The VXN is described in a graph-theoretic [2] sense as a directed graph, G, 
comprising N vertices V = {v} and M edges E = {e} representing virtual connections 
(VC) between vertices (these connections are made in the underlying packet 
network) with the following properties: 

1. A vertex is a computer in the VXN. It may be a client, server, or master. 

2. A server is a source or sink of information. A client may request 
information from a server or update information in a server. 

3. At least one vertex must be a master. 

4. The set of masters acts to manage the VXN. 

5. Edges are either one-way or two-way VCs. 

6. Any vertex with more than one incident edge must also act as a router in 
the VXN. 

7. 6 is irreflexive. 

8. A path or route is a sequence (ordered set) of edges that allows the 
transmission of data from vertices y t to vertex v h denoted as i->j. 

9. There must be at least one full-duplex path between every vertex and 
every other vertex: Vi,j,i*j :3i-*jj-> i. 

10. There must be at least one full-duplex path between each master and at 
least on other master. 

1 1 . A scalar d, e [0,1] is associated with each edge e f . Each d ( represents 
the capacity of the VC e,. Capacity is a heuristic measure that is 
normalized weighted sum of the available bandwidth, throughput and 
the reliability of the conn ection in the underlying packet network forming 
the VC. 

12. G is dynamic - vertices may be added, deleted, edges added or 
deleted, and the {dj updated, in a manner as to ensure that G remains 
consistent with the properties herein. 



Routing 

The goal of the routing algorithm is to ensure that the following occur: 
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• The VXN utiliz s the underlying packet network efficiently. 

• The VXN routes queries stochastically to reduce the likelihood of entire 
transactions being reconstructed by a packet interceptor in the 
underlying packet network to the VXN. 

• All client-to-server queries are routed through at least one master. 

• All server-to-client responses are routed through at least one master. 

A preferred embodiment of the VXN Routing Algorithm (VRA) consists of the 
following: 

1 . An N x M cost matrix, K,, in each vertex v,. Each K (n,m) element of K, 
contains the minimum cost of transmitting data from v f to v n by the least 
expensive path from v ; to v„ that begins with edge e m . K (n,m) is zero if 
e m is not incident on v,. The set of K, may be computed using a variety 
of dynamic programming techniques, such as the Bellman-Ford 
algorithm or the Dijkstra algorithm [1], The set of K, matrices is pre- 
computed and downloaded to all vertices as part of the setup of the 
VXN. Thereafter the Ki are periodically 
by the master in charge of the update. 

2. A cost vector derived from K t that contains the minimum cost of reaching 
a master via a path that originates along each outbound incident edge of 

V/. 

3. The cost of a path is defined as the sum of the reciprocals of the d, of 
the edges that comprise the path. 

4. Every message originating in a node of the VXN is stamped with the ? 
source and destination address of the message. 

5. Every vertex, except the destination vertex, routes a message along one 
of its outbound incident edges (excepting the edge on which the query 
was forwarded to it if it is not the originating vertex) to a neighbouring 
vertex in a manner that the probability of selecting outbound edge e m to 
route the message to destination v„ is 
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P(m) = 



_ K(n.m) 
' IK(h,i) 



5 



6. 



Here /' includes all outbound edges except the one on which the 
message came into the node. 

If the destination address is a wildcard representing the nearest master 
node, the cost vector to the nearest master (derived in 2, above) is used 



instead of K(n,m) to compute P(m). 
Other embodiments of the VRA may include variations of the above such as 
adaptive routing schemes where each node autonomously updates its routing 
functions by either querying its nearest neighbors or by gleaning routing metrics 
10 from the data packets that flow through it. Even other routing algorithms such as 
flood routing and dumb routing are possible though network efficiency may be 
compromised to some extent. 



acknowledgment of receipt; retransmissions are generated if the 

acknowledgment is not received. 
20 • The sending vertex encrypts the message (as described later), attaches a 

checksum and a u^Tiqu^nessageJD to it and transmits it to the recipient The 

recipient verifies the integrity of the message and transmits a positive or 

negative acknowledgment to the sender citing the message ID in its response. 

If the acknowledgment is positive, the recipient records the message ID and a 
25 timestamp in a transient database which is purged periodically (on the order of 

10 round-trip delays down the slowest link to the nearest neighbour). If the 

acknowledgment is negative no record of receipt is kept. 

• If the sender receives either a negative acknowledgment or no 
acknowledgment within a time window that is P s ropojrtional to the round-trip 

30 delay of the edge, the message is retransmitted with the same message ID. 

• A recipient receiving a duplicate message ID from the same sender discards 
the message and sends back the previous acknowledgment to the sender. 



15 



The following communication format is employed in the VXN, according to a 
preferred embodiment of the invention. 

• lyery comm unication along an edge in the VXN involves positive 



Data Transmission Format 
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• If the recipient is not the d stination node, it must forward the message after re- 
encrypting it with a different key (see below) using the routing criteria previously 
described. 

• A timer is associated with the edges of every node. When a packet is sent or 
5 received or an acknowledgment transmitted, the timer is reset. If a timer 

expires for a given edge a dummy packet is generated (whose destination 
address is the node at the other end of the edge) and transmitted along the 
edge. With each timeout, the d m for the link is downgraded (causing traffic to 
tend to take other routes). 
io • C"Ping n packets are periodically transmitted between a node and its nearest 

/ neighbours, and the turnaround time is used to update d m using an exponential- 
/ averaging algorithm. 

Encryption 

15 Preferably, every edge in the VXN is associated with the following data structure 
that is common to the vertices it joins: 

1. An encryption/decryption algorithm (EA). 

2. An algorithm to derive a unique new key using the old key and the 
plaintext encrypted by the old key. A number of algorithms are available 

20 for this purpose, the simplest of which use a conjunction of a number of 

bits of the old key and the previous plaintext encrypted to derive a seed 
which is supplied to a key generating algorithm to obtain the new key. 

3. A set of restart keys (RK) that is relatively large, but still a small set of all 
possible keys, such that attempting to decrypt a message using all 

25 possible restart keys should be much less than the round-trip time for 

the incumbent edge. 



Preferred encryption methodology: 

1 . When a vertex transmits a message down an edge for the very first time, it 
30 randomly selects a key from the set of RK and records this key as the current 

key (CK). 

2. When a vertex receives a message via an edge for the very first time it 
sequentially tries keys from the set of RK to decrypt the message until it finds 
the key used by the sender and records this as the CK. It uses the CK to return 

35 an acknowledgment (ACK) to the sender and derives a new key (NK) from the 
CK as described above. 
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3. When a recipient cannot decipher a message from a sender, it tries the set of 
RK and r cords the successful key as the CK. If the ncoding key cannot be 
found it returns a negative acknowledgment (NAK) using an RK to form the 
NAK. 

5 4. When the recipient positively acknowledges the receipt of a message to the 
sender, it derives a new key from the current key and makes the former the 
current key. 

5. When a sender receives a positive acknowledgment from the recipient, it sets 
the CK to the NK. 

10 6. When a sender does not receive an ACK after several retries, it sets the CK to 
a random key from RK, chooses a new message ID and retransmits the 
message. 

7. All transmissions, including positive and negative acknowledgments are 
encrypted. 

15 8. The entire message excepting the message ID is encrypted. 



Database Replication and Redundancy 

Every master contains a System Database with the following information pertaining 
to the operation of the VXN: 

• The set of vertices, V. 

• The set of edges, £. 

• A connectivity matrix completely describing the topology of G along with 
the complete set of {d^. Each node can be updated by any master 
using a lock database operation and an update database operation that 
ensure that, if necessary, any subset of V can be simultaneously 
updated. Each database update operation is reversible to allow any 
number of nodes to be synchronously updated. If a synchronous 
update cannot be completed, all databases are rolled-back to their 
previous state. 

• The computed set of {KJ. 

• The set of d m from which the {K} are derived. 

• The encryption algorithm and RKs associated with each {ej. 



In addition each server preferably contains an accounting database that records its 
35 transactions for billing purposes. The Accounting Database and its manipulation 
have the following rules: 
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If desired by the application being implemented on the VXN. a server's 
accounting database may be r plicated at a collection of oth r vertices 
in G using an incremental synchronous update. 
All updates are timestamped. 



The following are the properties of the System Database and its manipulation: 

• Only masters may update the System Database. 

• All system database updates are synchronous operations where all the 
masters are simultaneously updated. If a master cannot be updated the 

10 operation is aborted and none are updated. 

• Preferably, all system updates are timestamped with a universal time 
code that is obtained from a highly accurate clock (such as from the 
Global Positioning System). 

• If a master is restarted following a system crash, it would compare the 
15 timestamp of its system database with another master, and if not 

current, update its copy of the system database from the nearest 
master. During the copy the source master's system database would be 
locked, preventing any other system database updates. 

• Every master maintains its queue of housekeeping functions (such as 
20 downloading the set of d m from each node, computing the {KJ and 

uploading these to every node). Periodically, as determined by the 
timer associated with each housekeeping function, with probability less 
than unity (depending upon the master's CPU load and the state of its 
links), a master may select a function to be performed across the VXN. 

25 Before it may do this, it must synchronously set a flag in the system 

database of all masters to ensure that no other master attempts the 
same function at the same time. It obtains the lock, it must perform the 
function and release the lock (or release the lock if the function cannot 
be performed for any reason). 

30 • When a master restarts it must clear all locks it may have acquired 

before it crashed. 



It will be appreciated that the above description relates to the preferred 
embodiment by way of example only. Many variations on the invention will be 
35 obvious to those knowledgeable in th field, and such obvious variations are within 
the scope of the invention as described, whether or not expressly described . 
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WHAT IS CLAIMED IS: 

1 . A method for providing secure transactions over a packet-switched 
communication network comprising the steps of: 

transmitting a probe packet to an adjacent node; 
5 receiving a plurality of response packets to said probe specifying the 

capacity of a plurality of transmission paths; and 

transmitting a data packet to a destination node on one of said transmission 
paths based on said responses. 

10 2. A method for providing secure transactions over a packet-switched 
communication network comprising the steps of: 
receiving a probe from an adjacent node; 

forwarding said probe to at least one other adjacent node in response to 
receiving said probe at a node which is not a destination node; and 
15 sending a reply in response to receiving said probe, when said probe is 

received at a destination node. 

3. A method for providing secure transactions over a packet-switched 
communication network comprising the steps of: 
20 receiving an encrypted data packet using a current encrypted key; 

de-encrypting said encrypted key from said current encryption key using a 
key generating algorithm; 

defining said new encryption key as said current encryption key; 
encrypting said data packet using said current encryption key; and 
25 transmitting said data packet to an adjacent nod. 
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4. A method for transmitting an electronic transaction message comprising a 
plurality of data packets comprising the steps of: 

adding at least one of a time stamp or a message identifier number to each 
of the plurality data packets; 
5 storing a portion of each of the data packets in an electronic transaction 

database; and 

recovering a previous state of the electronic transaction database using 
said added at least one of a time stamp or a message identifier number. 
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FIGURE 1 
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FIGURE 2 
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FIGURE 4A 
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